
WO2018120042A1 - Method and apparatus for credential distribution - Google Patents

Method and apparatus for credential distribution

Info

Publication number
WO2018120042A1
Authority
WO
WIPO (PCT)
Prior art keywords
vtpm
instance
credential
credentials
vnf
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/CN2016/113557
Other languages
English (en)
Chinese (zh)
Inventor
李方展
门方龙
塞尔维亚⋅米哈伊
弗勒斯恰努⋅伊万西尔维乌
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd
Priority to CN201680091967.2A (CN110121857B)
Priority to PCT/CN2016/113557 (WO2018120042A1)
Publication of WO2018120042A1
Legal status: Ceased


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols

Definitions

  • the present invention relates to the field of communications, and in particular, to a method and an apparatus for credential distribution.
  • NFV Network Function Virtualization
  • NFV technology implements some network functions in software on general-purpose hardware.
  • NFV technology can be used to implement part of the telecommunication network functions on general-purpose cloud servers, switches and storage, enabling rapid and efficient deployment of network services.
  • the NFV technology implements the telecommunication network function through a virtualized network function (VNF).
  • VNF virtualized network function
  • After initialization, the VNF needs security credentials (credentials for short) in order to communicate with other network elements in the network.
  • security credentials or credentials
  • After a credential is generated it passes through a plurality of network elements before reaching the VNF, and at any of them the credential may be stolen or fraudulently used.
  • the embodiments of the present invention provide a method and a device for credential distribution, which can reduce the risk that a credential is stolen or fraudulently used.
  • an embodiment of the present invention provides a method for credential distribution, the method comprising: creating a virtual trusted platform module (vTPM) instance in a network function virtualization infrastructure (NFVI), the vTPM instance generating a credential or obtaining a credential; and the vTPM instance providing the credential to a virtualized network function (VNF) instance created by the NFVI.
  • The credential distribution method applies vTPM technology to the NFV instantiation process: a vTPM instance is created in the NFVI, the credential is generated or obtained by that vTPM instance, and the credential is provided to the VNF instance created on the NFVI. This ensures that the credential never leaves a trusted environment, which improves the security of credential distribution.
  • the method further includes: the vTPM instance registering the generated credential with a certificate authority (CA). After the vTPM instance generates the credential it registers it with the CA, so that the VNF instance can later use the obtained credential to request a certificate from the CA.
  • the vTPM instance registering the credential with the CA specifically includes:
  • the vTPM instance registering the credential with the CA via the vTPM O&M agent and the vTPM O&M over a secure channel, the secure channel using an interactive protocol conforming to the TLS, IPsec or SSH standard. Registering over a dedicated secure channel makes the registration of credentials more secure.
  • the obtaining of the credential by the vTPM instance specifically includes: the vTPM instance obtaining a credential generated by the certificate authority (CA).
  • the management and orchestration (MANO) registers the VNF with the CA, and the CA generates a corresponding credential for the VNF registered by the MANO.
  • the vTPM instance on the NFVI obtaining the credential generated by the CA specifically includes: the CA generates the credential and distributes it through the vTPM O&M to the vTPM O&M agent located in the NFVI; the vTPM O&M agent in the NFVI creates a vTPM instance and writes the credential into the created vTPM instance.
  • the credential is a one-time credential.
  • A one-time credential is valid for only one registration request, which makes the use of the credential and the certificate application more secure.
  • the VNF instance uses the credential to request a certificate.
  • the VNF may also use the obtained credential as a pre-shared key (PSK).
  • an embodiment of the present invention provides a method for credential distribution, the method comprising: a network function virtualization infrastructure (NFVI) creating a virtualized network function (VNF) instance according to a VNF initialization command; and the VNF instance obtaining a credential from a virtual trusted platform module (vTPM) instance in the NFVI.
  • the method further includes: the VNF instance using the credential to request a certificate from the CA, or using it as a PSK.
  • an embodiment of the present invention provides a network function virtualization infrastructure (NFVI) which includes a virtual trusted platform module (vTPM) instance, where the vTPM instance is configured to generate or obtain a credential and to provide the credential.
  • an embodiment of the present invention provides a virtual network function (VNF) instance, characterized in that it comprises a credential obtaining unit configured to obtain a credential from a virtual trusted platform module (vTPM) instance in the NFVI.
  • the VNF instance further includes a certificate application unit, configured to use the credential to request a certificate from the CA.
  • the present application also provides a computer readable storage medium having instructions stored therein that, when executed on a computer, cause the computer to perform the methods described in the various aspects above.
  • the present application also provides a computer program product comprising instructions which, when run on a computer, cause the computer to perform the methods described in the various aspects above.
  • FIG. 1 is a schematic diagram of a possible NFV network architecture to which an embodiment of the present invention is applied;
  • FIG. 2 is a schematic structural diagram of a system for implementing credential distribution by using vTPM according to an embodiment of the present invention
  • FIG. 3 is a schematic diagram of a credential distribution method according to an embodiment of the present invention.
  • FIG. 4 is a schematic diagram of a credential distribution method according to an embodiment of the present invention.
  • FIG. 5 is a schematic diagram of a credential distribution method according to an embodiment of the present invention.
  • FIG. 6 is a schematic structural diagram of a NFVI according to an embodiment of the present invention.
  • FIG. 7 is a schematic structural diagram of a VNF provided by an embodiment of the present invention.
  • FIG. 8 is a schematic structural diagram of a credential distribution system according to an embodiment of the present invention.
  • FIG. 9 is a schematic structural diagram of hardware of a computer device according to an embodiment of the present invention.
  • the network architecture and the service scenario described in the embodiments of the present invention are intended to illustrate the technical solutions of the embodiments more clearly and do not limit the technical solutions provided by the embodiments.
  • the technical solutions provided by the embodiments of the present invention are equally applicable to similar technical problems.
  • FIG. 1 is a schematic diagram of an NFV-based network architecture according to an embodiment of the present invention.
  • the network architecture includes: Network Function Virtualization Orchestrator (NFVO), Virtualized Network Function Manager (VNFM), Virtualized Infrastructure Manager (VIM), Network Function Virtualization Infrastructure (NFVI), Virtual Machine (VM), Virtualized Network Function (VNF) and Element Manager System (EMS). NFVO, VNFM and VIM together form the Management and Orchestration (MANO) of the NFV system; MANO functions can be implemented in hardware or in software.
  • NFVO Network Function Virtualization Orchestrator
  • VNFM Virtualized Network Function Manager
  • VIM Virtualized Infrastructure Manager
  • NFVI Network Function Virtualization Infrastructure
  • VM Virtual Machine
  • VNF Virtualized Network Function
  • EMS Element Manager System
  • a virtualisation container is part of a compute node that provides an isolated virtualized computing environment.
  • An example of a typical virtualization container is a VM.
  • a VM is a virtual device emulated on a physical device by virtual machine software. To the applications running in it, a VM behaves like a real physical device: an operating system and applications can be installed on it, and it can access network resources.
  • a VNF is also called a virtualized network element.
  • a VNF corresponds to a physical network function in a traditional, non-virtualized network.
  • the functional behavior and state of the network function are independent of whether the network function is virtualized.
  • a VNF can be composed of multiple lower-level components.
  • one VNF can be deployed across multiple VMs, each VM hosting one Virtualized Network Function Component (VNFC).
  • VNFC Virtualized Network Function Component
  • a VNF can also be deployed on a single VM.
  • the VNFM is mainly used to implement the lifecycle management of the VNF instance, including the initialization of the VNF instance, the expansion or contraction of the VNF instance, and the termination of the VNF instance.
  • the EMS mainly performs the traditional FCAPS (fault management, configuration management, accounting management, performance management and security management) functions for the VNF.
  • FCAPS Fault Management, Configuration Management, Accounting Management, Performance Management and Security Management
  • the EMS can exist alone or as a VNF with EMS functionality.
  • VIM is mainly responsible for: management, monitoring, and fault reporting of infrastructure layer hardware resources and virtualized resources, and providing virtualized resource pools for upper-layer applications.
  • the NFVI provides the hardware and virtual resources for the whole system. It consists of hardware resources (compute, network and storage), a virtualization layer (which virtualizes the hardware resources into resource pools) and virtual resources (likewise divided into compute, network and storage). From the VNF's perspective, the virtualization layer and the hardware resources appear as a single entity that provides the required virtual resources.
  • the NFVO is mainly responsible for the Network Service Descriptor (NSD), the Virtualized Network Function Descriptor (VNFD), the Virtualized Network Function Forwarding Graph (VNFFG), Network Service (NS) lifecycle management, and the global view of resources.
  • NSD Network Service Descriptor
  • VNFD Virtualized Network Function Descriptor
  • VNFFG Virtualized Network Function Forwarding Graph
  • NS Network Service
  • TE (Trusted Environment): used to protect the operating system and software running on a host (for example, a VM).
  • the TE can be implemented in hardware or in software. Regardless of the implementation, to the VNF it is a module that provides trusted computing capabilities and interface calls.
  • CA (Certificate Authority): the authority that issues certificates, authenticates certificates and manages the certificates it has issued.
  • the registration authority (RA) verifies the certificate application submitted by the applicant, and the CA issues the certificate after the verification passes.
  • the CA is responsible for defining the policies and the concrete steps for verifying, identifying and signing user credentials, so as to guarantee the identity of the certificate holder and the ownership of the public key.
  • the CA is the entity that performs full lifecycle management of digital certificates: a functional organization trusted by one or more users to create and distribute certificates.
  • the certificate authority can also generate a user's key.
  • RA Registration Authority
  • the RA is the entity in the PKI system that is mainly used to review the identity of applicants.
  • the RA and the CA are usually deployed on the same entity.
  • the RA function is performed during the certificate issuance process.
  • the embodiments of the present invention refer to the functions of the foregoing CA and/or RA collectively as the CA.
  • Credential: used for initial identity authentication, to prove the legitimacy of an entity's identity.
  • the credential can be a one-time password, a token, a key, and so on.
  • the virtualization system supports the TE, and the TE may be implemented in hardware or in software.
  • the TE is a module that provides a trusted computing function and an interface call. If the TE is implemented in software, it is part of the VM.
  • the NFVI creates the TE while creating the VM that carries the VNF instance.
  • the TE accessed by the VNF instance is the TE that the NFVI assigned to it. As with a hardware TE, the NFVI can neither access the data stored in a software TE nor use the functions of the software TE.
  • FIG. 2 is a schematic diagram of a system architecture for implementing credential distribution by using the vTPM technology according to an embodiment of the present invention.
  • vTPM is one of the TPM virtualization solutions; it allows each virtual machine to obtain complete trusted computing functions in a virtualized environment, so that the secure storage and encryption functions of the TPM can be used inside the VM.
  • the vTPM instance is the TPM of a VM. Each VM that requires TPM functions is associated with a unique vTPM instance for its whole lifetime, that is, a one-to-one correspondence.
  • NFVI supports deploying a vTPM for each VNF.
  • the credentials are generated by a trusted environment or trusted module constructed by vTPM technology, and the credentials are not known to any non-owners.
  • the vTPM O&M (management module) in Figure 2 manages the creation and deletion of vTPM instances. It is a centralized control point and can be located in the VIM, VNFM or NFVO within MANO; generally it is located in the VIM. If it is located in the NFVO or VNFM, it can be combined with security orchestration.
  • the vTPM O&M agent is a proxy process on each hypervisor (also called the VMM, virtual machine monitor) that performs vTPM instance creation and deletion, including allocating the vTPM AIK/EK information; the vTPM O&M agent is controlled by the vTPM O&M.
  • the vTPM O&M agent is located in the NFVI and can be understood as a TPM proxy process at the infrastructure layer.
  • FIG. 3 is a schematic diagram of a method for distributing a credential according to an embodiment of the present invention.
  • the method is performed on the system architecture supporting vTPM technology shown in FIG. 2 and includes:
  • the virtual trusted platform module vTPM instance generates a credential or obtains a credential, and the vTPM instance is created on the NFVI;
  • the VNF instance obtains credentials from the vTPM instance.
  • After the VNF instance obtains the credential, it can use it to request a certificate from the CA or as a pre-shared key (PSK); the embodiment of the present invention does not limit this.
  • PSK pre-shared key
  • Before the VNF instance obtains the credential, the vTPM instance may pass the generated credential to the vTPM O&M agent and the vTPM O&M, which finally registers it with the CA. Because the credential is already registered with the CA before the VNF instance obtains it, the CA can authenticate the VNF, and it is more secure for the VNF instance to use the credential to request a certificate from the CA.
  • Alternatively, the credential may be generated by the CA and written into the vTPM instance by the vTPM O&M and the vTPM O&M agent during the instantiation of the vTPM.
  • the CA may generate the credential corresponding to the VNF after receiving the VNF registration request sent by the MANO, and send the credential to the corresponding vTPM instance.
  • vTPM technology is applied to the NFV instantiation process to create a vTPM instance in the NFVI; the vTPM instance generates or obtains the credential and provides it to the VNF instance created on the NFVI, which ensures that the credential never leaves a trusted environment and increases the security of credential distribution.
  • FIG. 4 is a schematic diagram of a method for distributing a credential according to an embodiment of the present invention.
  • a vTPM instance is used to generate a credential for a VNF instance, and the credential is registered with the CA.
  • the specific process is as follows:
  • At least one vTPM instance created by the vTPM O&M and the vTPM O&M agent already exists in the NFVI, and at least one VNF instance created by the NFVI already exists in the system.
  • the vTPM instance generates a credential under the control of the vTPM O&M; the credential is generally a one-time credential, such as a one-time password;
  • the vTPM instance forwards the credential to the vTPM O&M agent;
  • the vTPM O&M agent forwards the credential to the vTPM O&M;
  • the vTPM O&M registers the credential with the CA, generally over a secure channel such as TLS, IPsec or SSH;
  • the VNF instance reads the credential from the vTPM instance;
  • the VNF instance uses the credential to request a certificate from the CA;
  • Because the credential was registered with the CA in step S404, the CA trusts it, and once the VNF has obtained the credential it can request a certificate from the CA.
  • a vTPM instance located in the NFVI generates a credential
  • the VNF instance created by the NFVI obtains the credential from the vTPM instance to ensure secure distribution of the credential
  • the vTPM instance generates the credential and further registers with the CA.
  • the VNF instance can further use the obtained credential to request a certificate from the CA. Because the credential is generated by the vTPM instance rather than generated by the CA and then sent to the vTPM, the burden on the CA is reduced.
  • FIG. 5 is a schematic diagram of communication of a credential distribution method according to an embodiment of the present invention.
  • a CA allocates a credential to a VNF, and the method includes:
  • the MANO registers the VNF identity information with the CA; the identity information includes a VNF ID;
  • the MANO registers the VNF identity information, including the VNF ID, with the vTPM O&M;
  • the CA generates a credential, generally a one-time credential such as a one-time password; the credential generated by the CA corresponds to the VNF ID registered by the MANO;
  • the CA distributes the credential to the vTPM O&M, generally over a secure channel such as TLS, IPsec or SSH; the message from the CA to the vTPM O&M generally carries the correspondence between the VNF ID and the credential, so that the vTPM O&M can determine which VNF the credential belongs to;
  • the vTPM O&M sends a vTPM instantiation indication to the vTPM O&M agent and distributes the credential;
  • the vTPM O&M agent creates a vTPM instance and writes the credential into it;
  • the vTPM instance obtained after instantiation therefore holds the credential corresponding to the VNF;
  • S509: the VNF instance obtains the credential from the vTPM instance;
  • the credential obtained by the VNF at this point is the credential generated by the CA for the VNF ID;
  • S510: the VNF instance uses the credential to request a certificate.
  • the credential is generated by the CA, written into the vTPM instance during vTPM instantiation and provided to the VNF, which ensures that the credential never leaves a trusted environment.
  • the security of credential distribution is improved.
  • the CA both generates and verifies the credential, which is more secure.
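The two flows described for FIG. 4 (credential generated inside the vTPM instance and registered with the CA through the vTPM O&M agent and vTPM O&M) and FIG. 5 (credential generated by the CA and written into the vTPM instance at instantiation), together with the one-time property and the PSK use mentioned earlier, as an added Python simulation. This is illustration code written for this page, not the patent's or the assignee's implementation. Assumptions not in the text: the class and method names, a 128-bit random hex token as the credential format, the secure channel between vTPM O&M and CA abstracted to a direct call, a string placeholder standing in for an X.509 certificate, and HMAC-SHA256 under the label `vnf-psk` as the PSK derivation.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set


class CertificateAuthority:
    """CA with the RA function folded in, as the text does. Credentials are one-time."""
    def __init__(self) -> None:
        self._registered: Dict[str, str] = {}  # VNF ID -> registered credential
        self._consumed: Set[str] = set()       # credentials already used once

    def register_credential(self, vnf_id: str, credential: str) -> None:
        """FIG. 4 path: the vTPM O&M registers a vTPM-generated credential (step S404)."""
        self._registered[vnf_id] = credential

    def generate_credential(self, vnf_id: str) -> str:
        """FIG. 5 path: the CA itself generates the one-time credential for a VNF ID."""
        self._registered[vnf_id] = secrets.token_hex(16)  # assumed: 128-bit random token
        return self._registered[vnf_id]

    def issue_certificate(self, vnf_id: str, credential: str) -> Optional[str]:
        """Accept only a registered, unused credential for this VNF ID (constant-time
        comparison), then burn it so that a replay of the one-time credential fails."""
        expected = self._registered.get(vnf_id)
        if expected is None or not hmac.compare_digest(expected, credential):
            return None
        if credential in self._consumed:
            return None
        self._consumed.add(credential)
        return f"CERT(subject={vnf_id})"  # stand-in for a real X.509 certificate


@dataclass
class VTPMInstance:
    """One vTPM instance per VM/VNF; the credential is stored only here."""
    vnf_id: str
    credential: Optional[str] = None

    def generate_credential(self) -> str:
        self.credential = secrets.token_hex(16)
        return self.credential

    def read_credential(self) -> str:
        if self.credential is None:
            raise RuntimeError("no credential provisioned in vTPM instance")
        return self.credential


class VTPMOMAgent:
    """Per-hypervisor proxy process in the NFVI that creates vTPM instances."""
    def create_instance(self, vnf_id: str, credential: Optional[str] = None) -> VTPMInstance:
        return VTPMInstance(vnf_id, credential)  # FIG. 5: credential written at creation


class VTPMOM:
    """Centralized vTPM O&M (normally in the VIM). Its link to the CA is the secure
    channel (TLS/IPsec/SSH) of the text, abstracted here as a direct call."""
    def __init__(self, agent: VTPMOMAgent, ca: CertificateAuthority) -> None:
        self.agent, self.ca = agent, ca

    def provision_vtpm_generated(self, vnf_id: str) -> VTPMInstance:
        """FIG. 4: the vTPM instance generates the credential; agent -> O&M -> CA registers it."""
        inst = self.agent.create_instance(vnf_id)
        self.ca.register_credential(vnf_id, inst.generate_credential())
        return inst

    def provision_ca_generated(self, vnf_id: str) -> VTPMInstance:
        """FIG. 5: the CA generates the credential for the MANO-registered VNF ID; the O&M
        pushes it to the agent, which writes it into the new vTPM instance."""
        return self.agent.create_instance(vnf_id, self.ca.generate_credential(vnf_id))


class VNFInstance:
    """The VNF reads the credential from its own vTPM instance and uses it (S509/S510)."""
    def __init__(self, vnf_id: str, vtpm: VTPMInstance) -> None:
        self.vnf_id, self.vtpm = vnf_id, vtpm

    def request_certificate(self, ca: CertificateAuthority) -> Optional[str]:
        return ca.issue_certificate(self.vnf_id, self.vtpm.read_credential())

    def derive_psk(self) -> bytes:
        """Other use named in the text: credential as a PSK (HMAC-SHA256 derivation assumed)."""
        return hmac.new(self.vtpm.read_credential().encode(), b"vnf-psk", hashlib.sha256).digest()


def run_flows() -> dict:
    """Run both flows, then a replay and a rogue request; return the outcomes."""
    ca, agent = CertificateAuthority(), VTPMOMAgent()
    om = VTPMOM(agent, ca)
    vnf_a = VNFInstance("vnf-a", om.provision_vtpm_generated("vnf-a"))  # FIG. 4
    vnf_b = VNFInstance("vnf-b", om.provision_ca_generated("vnf-b"))    # FIG. 5
    # Rogue VM: has its own vTPM with an unregistered credential but claims VNF ID vnf-a.
    rogue = VNFInstance("vnf-a", agent.create_instance("rogue", secrets.token_hex(16)))
    return {
        "cert_a": vnf_a.request_certificate(ca),
        "cert_b": vnf_b.request_certificate(ca),
        "replay_a": vnf_a.request_certificate(ca),  # one-time: second use is refused
        "rogue_a": rogue.request_certificate(ca),
        "psk_len": len(vnf_b.derive_psk()),
    }
```

`run_flows()` returns a certificate for each VNF, `None` for the replayed one-time credential and `None` for a rogue VM that claims `vnf-a` with a credential the CA never saw. The CA-side check is the part worth getting right in a real deployment: look the credential up by VNF ID rather than searching all registered values, compare in constant time, and mark it consumed before answering.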
  • the MANO may be any of NFVO, VNFM, and VIM.
  • the VNF instantiation/initialization command may be sent to the NFVI through the VIM.
  • the manner in which the NFVI creates a VNF instance according to the VNF initialization command is a well-known technology in the art, and details are not described herein.
  • in order to implement the above functions, each network element, such as the NFVI, the vTPM instance and the VNF instance, includes the corresponding hardware structures and/or software modules for performing each function.
  • the elements and algorithm steps of the examples described in the embodiments disclosed herein can be implemented in hardware, or in a combination of hardware and computer software. Whether a function is implemented in hardware or in computer software driving hardware depends on the specific application and the design constraints of the solution. A person skilled in the art can use different methods to implement the described functions for each particular application, but such implementations should not be considered to be beyond the scope of the present invention.
  • the embodiments of the present invention may perform functional unit division on the NFVI, the vTPM instance, and the VNF instance according to the foregoing method example.
  • each functional unit may be divided according to each function, or two or more functions may be integrated into one processing.
  • the above integrated unit can be implemented in the form of hardware or in the form of a software functional unit. It should be noted that the division of the unit in the embodiment of the present invention is schematic, and is only a logical function division, and the actual implementation may have another division manner.
  • FIG. 6 shows a possible structural diagram of the NFVI involved in the above embodiment.
  • NFVI 600 includes a vTPM instance;
  • the vTPM instance is configured to generate or obtain a credential and provide the credential to the VNF instance created by the NFVI.
  • Apart from the features of the present invention, the NFVI complies with the relevant specifications of the European Telecommunications Standards Institute (ETSI).
  • ETSI European Telecommunications Standards Institute
  • the NFVI for generating security credentials provided by the embodiment of the present invention conforms to the definition of NFVI in the following documents [1] and [2]:
  • [1] ETSI GS NFV 002, "Network Functions Virtualisation (NFV); Architectural Framework";
  • [2] ETSI GS NFV 003, "Network Functions Virtualisation (NFV); Terminology for main concepts in NFV".
  • by using the vTPM instance to generate or obtain the security credential and provide it to the VNF instance, the NFVI provided by the embodiment of the present invention can reduce the risk of security credential leakage.
  • FIG. 7 shows a possible structural diagram of the VNF example involved in the above embodiment.
  • the VNF instance 700 includes a credential obtaining unit configured to obtain a credential from a virtual trusted platform module (vTPM) instance in the NFVI.
  • the VNF instance further includes a certificate requesting unit configured to request a certificate from the CA by using the credential.
  • by obtaining the credential from the vTPM instance in the NFVI, the VNF instance provided by the embodiment of the present invention reduces the number of network elements the credential passes through after it is generated, and therefore the risk of the credential being compromised; the credential can further be used to request a certificate from the CA.
  • the embodiment of the present invention further provides a credential distribution system.
  • the credential distribution system 800 includes an NFVI and a VNF instance.
  • the NFVI is configured to generate or obtain a credential through a virtual trusted platform module (vTPM) instance created on it, and to provide the credential to the VNF instance created by the NFVI;
  • the VNF instance is configured to obtain the credential from the vTPM instance in the NFVI.
  • the system may further include a CA, which receives the certificate request that the VNF instance sends using the credential and, after the credential is verified, sends the certificate to the VNF instance.
  • FIG. 9 is a schematic diagram showing the hardware structure of a computer device 900 according to an embodiment of the present application.
  • computer device 900 includes a processor 902, a memory 904, a communication interface 906, and a bus 908.
  • the processor 902, the memory 904, and the communication interface 906 implement a communication connection with each other through the bus 908.
  • the processor 902 can be a general-purpose central processing unit (CPU), a microprocessor, an application specific integrated circuit (ASIC), or one or more integrated circuits for executing related programs.
  • CPU central processing unit
  • ASIC application specific integrated circuit
  • the memory 904 may be a read only memory (ROM), a static storage device, a dynamic storage device, or a random access memory (RAM).
  • Memory 904 can store operating system 9041 and other applications 9042.
  • the program code for implementing the technical solution provided by the embodiment of the present application is saved in the memory 904 and executed by the processor 902.
  • Communication interface 906 communicates with other devices or communication networks using a transceiver apparatus such as, but not limited to, a transceiver.
  • Bus 908 can include a path for communicating information between various components (e.g., processor 902, memory 904, communication interface 906).
  • the processor 902 is configured to: create a virtual trusted platform module (vTPM) instance on the NFVI, where the vTPM instance generates or obtains a credential;
  • the vTPM instance provides the credential to the VNF instance created by the NFVI;
  • the processor 902 is configured to: obtain credentials from the virtual trusted platform module vTPM instance in the NFVI, and further utilize the credentials to request a certificate from the CA.
  • the embodiment of the present application further provides a computer storage medium, which can store program instructions for indicating any of the above methods.
  • the disclosed systems, devices, and methods may be implemented in other manners.
  • the device embodiments described above are merely illustrative.
  • the division of the unit is only a logical function division.
  • there may be other division manners; for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed.
  • the mutual coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interface, device or unit, or an electrical, mechanical or other form of connection.
  • the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed to multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the embodiments of the present invention.
  • each functional unit in each embodiment of the present invention may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit.
  • the above integrated unit can be implemented in the form of hardware or in the form of a software functional unit.
  • the above embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof.
  • when implemented in software, they may be implemented in whole or in part in the form of a computer program product.
  • the computer program product includes one or more computer instructions.
  • when the computer program instructions are loaded and executed on a computer, the processes or functions described in the embodiments of the present invention are produced in whole or in part.
  • the computer can be a general purpose computer, a special purpose computer, a computer network, or another programmable device.
  • the computer instructions can be stored in, or transmitted by, a computer readable storage medium.
  • the computer instructions can be transmitted from one website, computer, server or data center to another by wire (e.g. coaxial cable, optical fiber, digital subscriber line (DSL)) or wirelessly (e.g. infrared, radio, microwave).
  • the computer readable storage medium can be any available medium that can be accessed by a computer.
  • the computer instructions can be stored or transmitted using a magnetic medium (e.g. a floppy disk, a hard disk or a magnetic tape), an optical medium (e.g. a DVD), or a semiconductor medium (e.g. a Solid State Disk (SSD)).
  • SSD Solid State Disk

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Embodiments of the present invention provide a credential distribution method. The method includes the following steps: a network functions virtualization infrastructure (NFVI) uses a virtual trusted platform module (vTPM) instance created on it to create a credential or to acquire a credential; and the NFVI provides the credential to a VNF instance created by the NFVI. The credential distribution method provided in the embodiments of the present invention can reduce the risk of a security credential being leaked.
PCT/CN2016/113557 2016-12-30 2016-12-30 Credential distribution method and apparatus Ceased WO2018120042A1 (fr)
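The flow in the abstract, modelled as an added example (this is illustrative code, not the patent's or Huawei's implementation): the NFVI instantiates a VNF from a descriptor that came through MANO, creates a per-instance vTPM, has that vTPM create the credential, and hands the credential to the VNF host-locally. The class names, the HMAC-based credential derivation, the audit trail used to show which components ever held the secret, and the challenge/response check are all assumptions added for the demonstration; a real vTPM would be anchored in the host TPM and would not hold its root as plain process memory.

```python
"""
Model of vTPM-backed credential distribution from NFVI to a VNF instance.
Illustrative example only; names and mechanisms are assumptions, not the
patent's design. Standard library only so it runs offline.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Audit = List[Tuple[str, str]]  # (component that handled the secret, cred_id)


@dataclass(frozen=True)
class Credential:
    cred_id: str            # public identifier, safe to log
    secret: bytes           # the part whose leakage the method is meant to limit
    vnf_instance_id: str    # the instance this credential is bound to


class VTPMInstance:
    """Per-VNF vTPM instance created by the NFVI. The root secret never leaves it."""

    def __init__(self, vnf_instance_id: str, audit: Audit) -> None:
        self.vnf_instance_id = vnf_instance_id
        self._root = secrets.token_bytes(32)  # assumption: random root; real vTPM is TPM-backed
        self._audit = audit

    def _derive(self, purpose: str) -> bytes:
        # Credential is derived from the vTPM root, so it is unique to this instance.
        msg = f"{self.vnf_instance_id}|{purpose}".encode()
        return hmac.new(self._root, msg, hashlib.sha256).digest()

    def create_credential(self, purpose: str) -> Credential:
        secret = self._derive(purpose)
        cred_id = hashlib.sha256(secret).hexdigest()[:16]
        self._audit.append(("vTPM", cred_id))
        return Credential(cred_id, secret, self.vnf_instance_id)

    def verify_proof(self, purpose: str, challenge: bytes, proof: bytes) -> bool:
        # Re-derive instead of storing: nothing outside the vTPM keeps the secret.
        expected = hmac.new(self._derive(purpose), challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, proof)


class VNFInstance:
    def __init__(self, instance_id: str, audit: Audit) -> None:
        self.instance_id = instance_id
        self._credential: Credential = None
        self._audit = audit

    @property
    def credential_id(self) -> str:
        return self._credential.cred_id

    def install_credential(self, cred: Credential) -> None:
        if cred.vnf_instance_id != self.instance_id:
            raise ValueError("credential is bound to a different VNF instance")
        self._credential = cred
        self._audit.append(("VNF", cred.cred_id))

    def prove_possession(self, challenge: bytes) -> bytes:
        return hmac.new(self._credential.secret, challenge, hashlib.sha256).digest()


class NFVI:
    """Infrastructure layer: instantiates VNFs and their vTPM instances."""

    def __init__(self) -> None:
        self.audit: Audit = []
        self.vtpms: Dict[str, VTPMInstance] = {}
        self.vnfs: Dict[str, VNFInstance] = {}

    def instantiate_vnf(self, vnfd: dict) -> VNFInstance:
        # The descriptor that travelled through MANO must carry no secret material.
        if any(k in vnfd for k in ("credential", "password", "private_key")):
            raise ValueError("VNFD must not carry secrets; the vTPM creates them locally")
        vnf_id = f"{vnfd['name']}-{secrets.token_hex(4)}"
        vtpm = VTPMInstance(vnf_id, self.audit)
        vnf = VNFInstance(vnf_id, self.audit)
        cred = vtpm.create_credential("initial-auth")  # created inside the NFVI
        vnf.install_credential(cred)                    # delivered host-locally, not via MANO
        self.vtpms[vnf_id] = vtpm
        self.vnfs[vnf_id] = vnf
        return vnf


def components_that_handled(audit: Audit, cred_id: str) -> Set[str]:
    return {component for component, cid in audit if cid == cred_id}


def demo() -> Tuple[Set[str], bool, bool]:
    nfvi = NFVI()
    vnf = nfvi.instantiate_vnf({"name": "vfw", "vcpus": 2})  # constructed sample VNFD
    vtpm = nfvi.vtpms[vnf.instance_id]
    handled = components_that_handled(nfvi.audit, vnf.credential_id)
    challenge = b"nonce-0001"
    ok = vtpm.verify_proof("initial-auth", challenge, vnf.prove_possession(challenge))
    # A second instance has its own vTPM root, so it cannot answer for the first.
    other = nfvi.instantiate_vnf({"name": "vfw", "vcpus": 2})
    cross = vtpm.verify_proof("initial-auth", challenge, other.prove_possession(challenge))
    return handled, ok, cross


if __name__ == "__main__":
    print(demo())
```

The point the model makes is the one the abstract claims: only the vTPM instance and the VNF instance ever hold the secret, the descriptor that passed through the orchestration layers never did, and a credential created by one vTPM instance is useless to another VNF instance.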

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201680091967.2A CN110121857B (zh) 2016-12-30 2016-12-30 Credential distribution method and device
PCT/CN2016/113557 WO2018120042A1 (fr) 2016-12-30 2016-12-30 Credential distribution method and apparatus

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2016/113557 WO2018120042A1 (fr) 2016-12-30 2016-12-30 Credential distribution method and apparatus

Publications (1)

Publication Number Publication Date
WO2018120042A1 true WO2018120042A1 (fr) 2018-07-05

Family

ID=62707799

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/113557 Ceased WO2018120042A1 (fr) 2016-12-30 2016-12-30 Credential distribution method and apparatus

Country Status (2)

Country Link
CN (1) CN110121857B (fr)
WO (1) WO2018120042A1 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2020233205A1 (fr) * 2019-05-22 2020-11-26 Huawei Technologies Co., Ltd. Container service management method and device

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111212071B (zh) * 2019-12-31 2022-04-01 Qi An Xin Technology Group Co., Ltd. Information processing method and apparatus, electronic device and medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105264818A (zh) * 2014-05-08 2016-01-20 Huawei Technologies Co., Ltd. Certificate acquisition method and device
CN105284091A (zh) * 2014-05-08 2016-01-27 Huawei Technologies Co., Ltd. Certificate acquisition method and device
WO2016026129A1 (fr) * 2014-08-22 2016-02-25 Nokia Technologies Oy Security and trust framework for virtualized networks
US9294282B1 (en) * 2013-07-01 2016-03-22 Amazon Technologies, Inc. Cryptographically verified repeatable virtualized computing
CN105718760A (zh) * 2014-12-23 2016-06-29 Intel Corporation Licensing in the cloud

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101047440A (zh) * 2006-05-10 2007-10-03 Huawei Technologies Co., Ltd. Service path return method
CN104113574B (zh) * 2013-04-19 2017-04-12 Institute of Computing Technology, Chinese Academy of Sciences Secure migration method and system for trusted virtual machines over a wide area network
US9652631B2 (en) * 2014-05-05 2017-05-16 Microsoft Technology Licensing, Llc Secure transport of encrypted virtual machines with continuous owner access

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9294282B1 (en) * 2013-07-01 2016-03-22 Amazon Technologies, Inc. Cryptographically verified repeatable virtualized computing
CN105264818A (zh) * 2014-05-08 2016-01-20 Huawei Technologies Co., Ltd. Certificate acquisition method and device
CN105284091A (zh) * 2014-05-08 2016-01-27 Huawei Technologies Co., Ltd. Certificate acquisition method and device
WO2016026129A1 (fr) * 2014-08-22 2016-02-25 Nokia Technologies Oy Security and trust framework for virtualized networks
CN105718760A (zh) * 2014-12-23 2016-06-29 Intel Corporation Licensing in the cloud

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
ETSI: "Network Functions Virtualisation (NFV); NFV Security; Security and Trust Guidance", ETSI GR NFV-SEC 003 V1.2.1, 31 August 2016 (2016-08-31), XP055509690 *
SU, JIAN ET AL.: "VNF Lifecycle Security Management Measures in NFV", TELECOMMUNICATIONS SCIENCE, 20 November 2016 (2016-11-20) *

Also Published As

Publication number Publication date
CN110121857A (zh) 2019-08-13
CN110121857B (zh) 2021-02-09

Similar Documents

Publication Publication Date Title
US11695757B2 (en) Fast smart card login
US10523658B2 (en) Securing a data connection for communicating between two end-points
CN107548499B (zh) Technologies for secure bootstrapping of virtual network functions
US10841316B2 (en) Dynamic access control to network resources using federated full domain logon
KR102036758B1 (ko) Fast smart card logon and federated full domain logon
US10826905B2 (en) Secure access to on-premises web services from multi-tenant cloud services
US10397778B2 (en) Computer network providing secure mobile device enrollment features and related methods
US10331882B2 (en) Tracking and managing virtual desktops using signed tokens
US9509692B2 (en) Secured access to resources using a proxy
AU2024278515A1 (en) Ophthalmic delivery device
US9935937B1 (en) Implementing network security policies using TPM-based credentials
JP7758735B2 (ja) Remote management of hardware security modules
US11522847B2 (en) Local mapped accounts in virtual desktops
WO2015143651A1 (fr) Certificate configuration method, apparatus and system using network function virtualization
US20240380610A1 (en) Secure communications between edge clusters and cluster management system
US11366883B2 (en) Reflection based endpoint security test framework
CN116208501A (zh) TEE resource orchestration method, system, device and storage medium in NFV
CN110121857B (zh) Credential distribution method and device
CN110115012B (zh) Secret information distribution method and device
WO2018040095A1 (fr) Security credential generation method and device
WO2019015563A1 (fr) Method and device for generating initialization credentials for a virtual network function (VNF)

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16925913

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 16925913

Country of ref document: EP

Kind code of ref document: A1